System Audit is a mandatory technical and compliance assessment introduced by SEBI and implemented by the National Stock Exchange (NSE). Its primary purpose is to ensure that every trading member or broker operates secure, reliable, and compliant IT systems capable of safeguarding investors and market operations. Note that this audit isn’t a superficial formality. It examines everything that powers a broker’s trading ecosystem, like hardware, software, network, cybersecurity controls, cloud systems, disaster recovery, and even data privacy measures. In short, it’s a deep inspection of how well a broker’s technology infrastructure aligns with SEBI’s system and cybersecurity frameworks.
SEBI’s circular dated January 31, 2025, established a uniform, technology-driven monitoring and supervision mechanism for system audits across all stock exchanges. Following this, NSE released detailed frameworks in April 2024 and August 2025 specifying how audits are conducted and how auditors are empanelled.
Why SEBI Introduced a New Framework
Technology has become the backbone of modern trading, but it is also a major risk vector: system outages, algorithmic failures, ransomware, and data breaches have become increasingly common. To address these risks, SEBI mandated that:
- System audits should be standardized, monitored online, and verified for authenticity.
- Auditors’ credentials and independence should be strictly regulated.
- Every audit must be traceable, from on-site verification to final report submission, through a secure online portal managed by each stock exchange.

What the System Audit Covers
The system audit examines every component of a broker’s IT setup. NSE’s detailed “Terms of Reference” for Cyber Security and System Audit define key focus areas such as:
Governance & Policy
- Existence of a board-approved Cyber Security and System Audit policy.
- Roles and responsibilities of the Designated Officer and Technology Committee.
- Periodic policy reviews and incident reporting mechanisms.

IT Infrastructure & Network Security
- Configuration and hardening of servers, routers, and firewalls.
- Access control policies and privilege management.
- Patch management, change management, and capacity planning.

Cyber Resilience
- Implementation of Security Operations Centers (SOCs), monitoring tools, and alert systems.
- Incident detection, response, and recovery capabilities.
- Mandatory reporting of cyber incidents to SEBI, CERT-In, and NSE within 6 hours.

Cloud, Data, and Vendor Controls
- Cloud security and data localization checks.
- Validation of third-party vendor compliance (SOC 2, ISO, or equivalent).
- Protection of personally identifiable and financial data.

Disaster Recovery (DR) and Business Continuity
- Validation of DR drills and backup mechanisms.
- Testing of recovery time objectives (RTO) and recovery point objectives (RPO).

Every observation or non-compliance must be supported by evidence, such as logs, screenshots, or configuration details, and retained for at least three years.
Who Needs to Undergo a System Audit
As per NSE and SEBI, all trading members and stockbrokers are subject to the System Audit, though the frequency and depth depend on their classification:
| Category | Description | Audit Frequency |
|---|---|---|
| Type I | Basic brokers with limited infrastructure | Annual |
| Type II | Brokers using internet-based or dealer terminals | Annual |
| Type III | Brokers using algorithmic trading or API-based systems | Half-Yearly |
| QSB (Qualified Stock Brokers) | Large brokers meeting SEBI’s “Qualified Stock Broker” criteria | Half-Yearly or as prescribed |
Each broker must appoint an SEBI/NSE empanelled auditor to conduct the audit and submit:
- Preliminary Audit Report (by June 30 or as per cycle)
- Corrective Action Taken Report (ATR) (by September 30 or within 3 months)

Delays in submission can attract daily monetary penalties, as specified in NSE’s Annexure C, which mentions a fine of up to Rs 5,000 per day for QSBs and Rs 2,500 per day for non-QSBs beyond the grace period.
What Happens After the Audit
After the audit:
- The System Audit Report and Action Taken Report (ATR) must be uploaded to NSE’s web portal.
- The same auditor who conducted the audit must validate the ATR.
- For QSBs, both reports must be approved by their Board and Standing Committee on Technology (SCOT) before submission.
- Stock exchanges may perform surprise inspections to verify that audits were genuinely conducted.
- Repeated deficiencies can lead to de-empanelment of auditors and financial penalties for brokers.

Why This Matters for Trading Members
For any trading member, the System Audit isn’t just about compliance; it’s about business resilience. Non-compliance can result in:
- Suspension of trading rights,
- Penalties from NSE/SEBI, and
- Loss of investor trust.

More importantly, the audit framework helps brokers identify real-world vulnerabilities, like misconfigured servers, outdated firewalls, insecure cloud storage, or poor access control, before they can be exploited.
Key Takeaways for Organizations
- Start early: The audit process involves documentation, field validation, and multiple approvals.
- Select an empanelled auditor only through NSE’s official portal. Kratikal is now empanelled by NSE for system audit.
- Close audit observations quickly; ATR delays invite penalties.
- Use the audit as a security improvement exercise, not just a regulatory check.
- For QSBs, ensure your Technology Committee and Board actively review reports before submission.

How Kratikal Can Help?
Here’s how an empanelled auditor performs a System Audit:
1. Verifying the Broker’s Technology Ecosystem
The auditor’s first responsibility is to understand and evaluate the broker’s complete IT setup – every application, infrastructure component, and interface used in trading or client data management. This includes:
- Trading platforms (OMS, RMS, Algo systems)
- Internet-based trading portals and APIs
- Data centers, DR sites, and cloud-hosted systems
- Access control mechanisms, network architecture, and vendor integrations

The auditor inspects not just configurations but the governance framework behind them, like policies, logs, approvals, and internal controls.
2. Conducting Onsite and Remote Assessments
SEBI’s January 31, 2025 circular mandates that the entire audit lifecycle must be monitored through an online portal, ensuring transparency.
When the audit begins, the auditor:
- Logs into the exchange’s web portal from the broker’s premises; the portal captures the geo-location, confirming the physical visit.
- Uploads audit start and end times, system areas covered, and persons interviewed.
- Collects evidence like system screenshots, logs, server configurations, and test results.

This ensures the audit is not a desk review but a verifiable field-based exercise.
3. Evaluating Critical Controls
Auditors must validate compliance against NSE’s Terms of Reference (TOR) for Cyber Security and System Audit. They test and document findings on multiple fronts:
| Domain | What the Auditor Checks |
|---|---|
| Governance | Board-approved policies, Technology Committee minutes, and role of the Designated Officer. |
| Access Controls | User rights, privilege management, MFA, maker-checker workflows. |
| Data Security | Encryption of PII, DLP implementation, backup and recovery mechanisms. |
| Network & Infrastructure | Firewall, IDS/IPS, VPN, malware protection, and patch management. |
| Incident Response | DR drills, incident reporting to CERT-In/NSE, and log preservation. |
| Vendor Compliance | SOC 2 reports, SaaS/PaaS/IaaS configurations, ISO certifications. |
This detailed TOR review ensures that brokers’ systems are not only operational but resilient and compliant.
4. Reviewing Technical Glitch Management
Auditors also confirm whether the broker:
- Properly reported technical glitches to the Exchange within prescribed timelines.
- Conducted root-cause analyses (RCAs) and implemented preventive measures.
- Performed capacity planning in proportion to client load or transaction volume.

They cross-check this with SEBI’s Technical Glitch Framework, ensuring issues like system downtime or trading lags are tracked and fixed methodically.
5. Performing Vulnerability and Security Testing
Where required, auditors supervise or validate:
- Vulnerability Assessment and Penetration Testing (VAPT) of servers, firewalls, and trading systems.
- Scans for open ports, weak encryption, outdated patches, and misconfigurations.
- Test results and remediation timelines, ensuring that vulnerabilities are closed within 3 months of reporting.

Auditors ensure only CERT-In empanelled vendors perform such testing and the final report is approved by the broker’s Technology Committee.
6. Validating and Submitting Audit Reports
After completing fieldwork:
- The auditor fills out the standardized online audit report template on the Exchange portal.
- Submits it to the broker for review and signs it digitally.
- Reviews and validates the Action Taken Report (ATR) submitted later by the broker to close observations.

7. Assisting Brokers in Compliance and Risk Improvement
A good auditor does more than tick boxes. They help brokers interpret SEBI and NSE requirements and close compliance gaps effectively:
- Recommending control upgrades (e.g., SOC setup, LAMA log retention, MFA implementation).
- Advising on documentation like DR policies, change logs, cyber incident SOPs.
- Helping prepare for surprise NSE inspections or follow-up audits.
- Training IT staff on recurring vulnerabilities or policy gaps.

This guidance ensures that brokers not only pass the audit but also mature their cyber and system resilience posture.
In the End
The NSE System Audit represents a crucial evolution in India’s financial compliance landscape. It transforms audits from paperwork-based verification to data-driven, technology-supervised assurance. For brokers and trading members, aligning with this framework isn’t optional; it’s a necessary investment in operational integrity, investor confidence, and market stability. Organizations that treat the System Audit as a strategic governance tool, not a regulatory burden, will ultimately find themselves better equipped to face both regulatory scrutiny and cyber threats. Get in touch with Kratikal!
FAQs
- What is an NSE System Audit and why is it mandatory?
  It’s a SEBI-mandated compliance audit that ensures brokers’ IT systems are secure, reliable, and aligned with NSE’s cybersecurity standards to protect investors and market operations.
- Who needs to undergo the NSE System Audit and how often?
  All NSE-registered trading members and brokers must undergo it annually for Type I & II, and half-yearly for Type III & QSBs, through NSE-empanelled auditors.
- How can an empanelled auditor help in the NSE System Audit process?
  Empanelled auditors assess, verify, and validate brokers’ systems against SEBI/NSE guidelines, helping them close compliance gaps and strengthen cyber resilience.